1. Patchew
  2. QEMU
  3. View series

[Qemu-devel] [PATCH for-2.9] nbd/client: fix drop_sync [CVE-2017-2630]

Eric Blake posted 1 patch 7 years, 1 month ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20170306223054.25666-1-eblake@redhat.com
Test checkpatch passed
Test docker passed
There is a newer version of this series
nbd/client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[Qemu-devel] [PATCH for-2.9] nbd/client: fix drop_sync [CVE-2017-2630]
Posted by Eric Blake 7 years, 1 month ago 
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>

Comparison symbol is misused. It may lead to memory corruption.
Introduced in commit 7d3123e.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com>
[eblake: add CVE details]
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Marc-André Lureau <address@hidden>
---

This one still hasn't been merged in; sending separately since the
rest of my NBD series is now 2.10 material:
https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04528.html

 nbd/client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nbd/client.c b/nbd/client.c
index 5c9dee3..165b33e 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
     char small[1024];
     char *buffer;

-    buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
+    buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));
     while (size > 0) {
         ssize_t count = read_sync(ioc, buffer, MIN(65536, size));

-- 
2.9.3
Re: [Qemu-devel] [PATCH for-2.9] nbd/client: fix drop_sync [CVE-2017-2630]
Posted by Philippe Mathieu-Daudé 7 years, 1 month ago 
Hi Vladimir,

On 03/06/2017 07:30 PM, Eric Blake wrote:
> From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
>
> Comparison symbol is misused. It may lead to memory corruption.
> Introduced in commit 7d3123e.
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com>
> [eblake: add CVE details]
> Signed-off-by: Eric Blake <eblake@redhat.com>
> Reviewed-by: Marc-André Lureau <address@hidden>
> ---
>
> This one still hasn't been merged in; sending separately since the
> rest of my NBD series is now 2.10 material:
> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04528.html
>
>  nbd/client.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/nbd/client.c b/nbd/client.c
> index 5c9dee3..165b33e 100644
> --- a/nbd/client.c
> +++ b/nbd/client.c
> @@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
>      char small[1024];
>      char *buffer;
>
> -    buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
> +    buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));

here ">=" seems correct/safe.
(if size is 1024, use small stack buffer too).

>      while (size > 0) {
>          ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
>
Re: [Qemu-devel] [PATCH for-2.9] nbd/client: fix drop_sync [CVE-2017-2630]
Posted by Vladimir Sementsov-Ogievskiy 7 years, 1 month ago 
07.03.2017 03:10, Philippe Mathieu-Daudé wrote:
> Hi Vladimir,
>
> On 03/06/2017 07:30 PM, Eric Blake wrote:
>> From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
>>
>> Comparison symbol is misused. It may lead to memory corruption.
>> Introduced in commit 7d3123e.
>>
>> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
>> Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com>
>> [eblake: add CVE details]
>> Signed-off-by: Eric Blake <eblake@redhat.com>
>> Reviewed-by: Marc-André Lureau <address@hidden>
>> ---
>>
>> This one still hasn't been merged in; sending separately since the
>> rest of my NBD series is now 2.10 material:
>> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04528.html
>>
>>  nbd/client.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/nbd/client.c b/nbd/client.c
>> index 5c9dee3..165b33e 100644
>> --- a/nbd/client.c
>> +++ b/nbd/client.c
>> @@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
>>      char small[1024];
>>      char *buffer;
>>
>> -    buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
>> +    buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));
>
> here ">=" seems correct/safe.
> (if size is 1024, use small stack buffer too).

Agree.

>
>>      while (size > 0) {
>>          ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
>>


-- 
Best regards,
Vladimir
Re: [Qemu-devel] [PATCH for-2.9] nbd/client: fix drop_sync [CVE-2017-2630]
Posted by Eric Blake 7 years, 1 month ago 
On 03/06/2017 04:30 PM, Eric Blake wrote:
> From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> 
> Comparison symbol is misused. It may lead to memory corruption.
> Introduced in commit 7d3123e.
> 
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
> Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com>
> [eblake: add CVE details]
> Signed-off-by: Eric Blake <eblake@redhat.com>
> Reviewed-by: Marc-André Lureau <address@hidden>

Blergh. This R-b isn't correct.

Sending v2 with fixed attributions, and with >= instead of >.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.